This invention relates to access control systems for communications systems, and in particular for information-sharing services.
In recent times businesses have begun to require more control and oversight of their relationships with their customers, partners, supply chain, value chain and the market ecosystem or community in which they operate. This has been reinforced by systemic regulation, e.g. the “Dodd Frank” Act (Wall Street Reform and Consumer Protection Act) of 2010 in the United States of America, and equivalent legislation in other jurisdictions.
An important aspect of this requirement is the ability to self-organise securely, such that the organisation can have a consistent identity in its interactions with other organisations with which it is in communication.
However, tightly-coupled application architectures impose a set of compromises on the ability to work between different organisations, and limit flexibility and responsiveness. Moreover, applications and processes are impeded by necessary security requirements when they are made available beyond the boundaries of the organisation providing them. Dealing with these conflicts is important to the success of the enterprise in the market ecosystem.
The present invention provides the ability to define a secure unified identity for individuals, roles, organisational units and cross-organisational teams, to allow information to be shared between users in different organisations in a controlled, reliable and convenient way.
In prior art systems, an example of which is described in International Patent Application WO2007/068716 (IBM), a mesh of technical agreements is required between the individual organisations, for example code-of-connection contracts formed through the bilateral exchange of metadata. This then requires access control systems to be set up between each pair of organisations to ensure data and services are only accessible by, and supplied by, authorised personnel of the organisations concerned, requiring each entity to set up and maintain a profile with each other entity with which it is to operate. This arrangement is not readily scalable.
Such systems are difficult to use, as a user has to navigate the individual security gateway of each service provider in order to access its services. Personnel changes are difficult to track, as each organisation that has access to the services of other organisations has to inform all the other organisations of any changes in personnel, and in particular changes to their authority to access the services.
According to the invention there is provided an authentication server for controlling access to a plurality of service provision systems by a plurality of service user systems, comprising
a first interface for communicating with the service user systems,
a second interface for communicating with the service provision systems,
a store for maintaining authorisation concordances between the service user systems and the service provision systems,
an identification system for requesting and receiving data from each user terminal, by way of the first interface, indicative of the respective service user system with which it is associated,
a mediating system for mediating responses between user terminals and service provision systems to generate authorisation for access to predetermined service user systems, and
transmission means to forward authentication data to the service provision systems by way of the second interface.
The invention also provides a data access system comprising an authentication server having the features specified above, in combination with at least one service provision edge unit arranged to control access to a plurality of data services under its control and at least one identity provision edge unit arranged for service user identity management to control access to a plurality of data services by service users under its control, wherein the service provision edge units are configured to forward requests for service made by service users to the authentication server and to receive authentication confirmation from the authentication server, and the identity provision edge units are configured to respond to identity requests from the authentication server by initiating an authentication process with the service user making the request, and reporting the outcome of the authentication process to the authentication server.
The invention also provides a method of authenticating access requests to a plurality of service provision systems made by a plurality of service user systems, wherein
access requests are transmitted by user terminals to service provision systems,
and forwarded by the service provision systems to an authentication server,
and for each request forwarded by a service provision system, the authentication server identifies a service user system associated with the user terminal making the request, and communicates with the associated service user system to verify the authenticity of the user terminal,
and if verification is successful, the authentication server transmits a verification of the access request to the service provision system from which the request was forwarded, to authorise the access request made by the user terminal to the service provision system.
The identification of the service user entity associated with the user may be initially performed by a challenge and response process, and the association thus identified is maintained in a concordance store for a predetermined duration to facilitate subsequent access requests initiated by the same user terminal.
Attributes of service users can be stored by the authentication server for use by the service provision systems, the shared authentication server filtering the attributes to be transmitted in response to service requests, such that attributes necessary for fulfilment of a service request are transmitted to the respective service provider, and attributes not necessary for fulfilment of the service request are omitted.
When the authentication server initiates an authentication process between a service user system and an individual user of the service, it may receive authentication confirmation from the service user system, and forward the authentication confirmation to the service provider.
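The method set out above (a request forwarded by the service provider, identification of the user's home domain with the association kept in a concordance store for a set duration, verification by that domain, and forwarding of only the attributes the service provider needs) as a small Python model. This is an added illustration, not code from the patent; the class names, the opaque credential relayed through the hub and the sample organisations are constructed assumptions.

```python
import time

class IdentityProvider:
    """Identity provision edge unit: authenticates its own users and holds their attributes."""
    def __init__(self, users):
        self.users = users  # constructed sample data: user_id -> {"cred": ..., "attrs": {...}}
    def authenticate(self, user_id, credential):
        # In the described system the IdP runs this step with the user terminal directly;
        # here the hub relays an opaque credential so the whole flow fits in one place.
        user = self.users.get(user_id)
        return user is not None and user["cred"] == credential
    def attributes(self, user_id):
        return dict(self.users[user_id]["attrs"])

class FederationHub:
    """Shared authentication server: one technical agreement per IdP and per SP."""
    def __init__(self, idps, sp_needs, ttl=3600):
        self.idps = idps          # IdP name -> IdentityProvider federated with the hub
        self.sp_needs = sp_needs  # SP name -> attributes that SP needs to fulfil a request
        self.concordance = {}     # user_id -> (IdP name, expiry); the concordance store
        self.ttl = ttl            # predetermined duration of a concordance entry

    def home_idp(self, user_id, claimed_idp, now):
        """Identify the user's IdP: a live concordance entry first, else the terminal's claim."""
        entry = self.concordance.get(user_id)
        if entry and entry[1] > now:
            return entry[0]
        return claimed_idp if claimed_idp in self.idps else None

    def authorise(self, sp_name, user_id, credential, claimed_idp=None, now=None):
        """Handle a request forwarded by an SP; return (verified, attributes to forward)."""
        now = time.time() if now is None else now
        if sp_name not in self.sp_needs:
            return False, {}  # this SP has no agreement with the hub
        idp_name = self.home_idp(user_id, claimed_idp, now)
        if idp_name is None:
            return False, {}  # cannot identify the user's domain
        idp = self.idps[idp_name]
        if not idp.authenticate(user_id, credential):
            return False, {}  # IdP reported failure; nothing is forwarded to the SP
        self.concordance[user_id] = (idp_name, now + self.ttl)  # keep the association
        attrs = {k: v for k, v in idp.attributes(user_id).items() if k in self.sp_needs[sp_name]}
        return True, attrs  # verification plus only the attributes the SP needs

# Constructed sample federation: two user organisations and one service provider.
HUB = FederationHub(
    idps={"acme": IdentityProvider({"alice": {"cred": "pw-a", "attrs": {"role": "buyer", "dob": "1980-01-01"}}}),
          "globex": IdentityProvider({"bob": {"cred": "pw-b", "attrs": {"role": "auditor", "dob": "1975-06-30"}}})},
    sp_needs={"ordering": {"role"}},
)
```

A second request from the same terminal within the TTL needs no domain claim because the concordance entry is reused; once it has expired, the identification step must run again.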
The provision of such a shared authentication server allows the individual service providers and users to be organised as a federated group. Any number of user domains (also referred to herein as Identity Providers or IdPs) and service providers (SPs) can interoperate multi-laterally, without compromising organisational security or exposing personally identifiable information. The invention operates by arranging that each user has a unique definition of identity and profile, whose validity can be recognised by all servers in the federated group through the medium of the shared authentication server.
In contrast to the multitude of bilateral agreements required to operate existing systems, the present invention makes it possible for each service (application) provider to require just one technical agreement with the shared authentication core server, instead of separate agreements with each organisation in a community. Similarly, each user organisation can operate with just one technical agreement with the Federation Core server, instead of one with each Service provider. An organisation may, of course, operate as both service provider and as a user of other services.
The invention uses the user identity as its central organising principle, by ensuring that each user has a unique definition of identity and profile. The federated context means that any number of user domains (IdPs) and service providers (SPs) can interoperate multi-laterally, without compromising organisational security or exposing personally identifiable information.
Attestation tools can be provided for members of the community to conduct regular attestation of the users for which they are responsible, and their profiles. Attestation provides a starting point from which each member's attested users can confirm other users' identities, so that communication with other users and service providers can be conducted securely.